基于混杂模型的上下文相关主机入侵检测系统
DOI:
作者:
作者单位:

作者简介:

通讯作者:

中图分类号:

基金项目:

Supported by the National Natural Science Foundation of China under Grant Nos.60403006, 60503046 (国家自然科学基金)


Context Sensitive Host-Based IDS Using Hybrid Automaton
Author:
Affiliation:

Fund Project:

  • 摘要
  • |
  • 图/表
  • |
  • 访问统计
  • |
  • 参考文献
  • |
  • 相似文献
  • |
  • 引证文献
  • |
  • 资源附件
  • |
  • 文章评论
    摘要:

    主机入侵检测的关键是监测进程的运行是否正常.现有的基于静态分析建模的方法具有零虚警的优良特性,但是,由于缺乏精确性或者效率的问题仍然不能实际使用,先前的工作试图在这两者之间寻找平衡点.基于NFA(nondeterministic finite automaton)的方法高效但是不够精确,基于PDA(push down automaton)的方法比较精确但却由于无限的资源消耗而不能应用.其他模型,例如Dyck模型、VPStatic模型和IMA模型使用一些巧妙的方法提高了精确性又不过分降低可用性,但是都回避了静态分析中遇到的间接函数调用/跳转问题.提出一种静态分析-动态绑定的混杂模型(hybrid finite automaton,简称HFA)可以获得更好的精确性并且解决了这一问题.形式化地与典型的上下文相关模型作比较并且证明HFA更为精确,而且HFA更适合应用于动态链接的程序.还给出了基于Linux的原型系统的一些实现细节和实验结果.

    Abstract:

    A key function of a host-based intrusion detection system is to monitor program execution. Models constructed based on static analysis have the advantage of not producing false alarms; still, they can not be put into practice due to imprecision or inefficiency of the model. The prior work has shown a trade-off between efficiency and precision. In particular, models based upon non-deterministic finite state automaton (DFA) are efficient but lack precision. More accurate models based upon pushdown automaton (PDA) are very inefficient to operate due to non-determinism in stack activity. DYCK model, VPStatic model and IMA use some subtle approaches to achieve more determinism by extracting information about stack activity of the program or inserting code to expose program state or just inline the local automaton but still can not solve the problem of indirect call/JMP. This paper presents a new training-free model (hybrid finite automaton, HFA) to gain more determinism and resolves indirect call/JMP through static-dynamic hybrid approach. The results show that in run-time, these models slowed the execution of the test programs by 5% to 10%. This paper also formally compares HFA with some typical models and proves that HFA is more accurate than others and it is more suitable for dynamic linked applications. Some technical details of the protocol type system on Linux and experimental results are also presented in the paper.

    参考文献
    相似文献
    引证文献
引用本文

李 闻,戴英侠,连一峰,冯萍慧.基于混杂模型的上下文相关主机入侵检测系统.软件学报,2009,20(1):138-151

复制
分享
文章指标
  • 点击次数:
  • 下载次数:
  • HTML阅读次数:
  • 引用次数:
历史
  • 收稿日期:2007-02-27
  • 最后修改日期:2007-08-03
  • 录用日期:
  • 在线发布日期:
  • 出版日期:
您是第位访问者
版权所有:中国科学院软件研究所 京ICP备05046678号-3
地址:北京市海淀区中关村南四街4号,邮政编码:100190
电话:010-62562563 传真:010-62562533 Email:jos@iscas.ac.cn
技术支持:北京勤云科技发展有限公司

京公网安备 11040202500063号